Widespread availability and use of computer systems and the Internet has resulted in electronic financial transactions becoming commonplace. The use of financial instruments such as credit cards, debit cards and bank accounts to purchase goods or services from online merchants or vendors is extremely convenient. However, the number of fraudulent transactions has also increased substantially. Merchants have little protection against fraudulent credit or debit transactions, particularly in “card not present” (CNP) circumstances (i.e., where card holders’ bona fides cannot be verified by the use of conventional signature comparison or identification checks at the point of sale), and may be responsible for the costs of such transactions and transport costs in relation to the goods. To make matters worse, merchants may additionally be responsible for intra-bank dishonour fees.
During a payment transaction using a payment card (e.g., a credit, debit, or stored value card), it is beneficial to verify a purchaser's (cardholder's) ownership of the card or an account associated with the card to avoid a variety of potential problems, such as unauthorised use, disputed use, or a later change of mind on the part of the purchaser (also known as ‘friendly’ or ‘I didn't do it’ fraud). Purchaser authentication is the process of verifying a cardholder's ownership of an account. A common method of authenticating a purchaser's ownership of an account occurs routinely at a point of sale during what is called a “card present” transaction. A card present transaction involves a merchant's representative swiping the card through a card payment terminal to verify account status and credit line availability, and then checking that the signature on the back of the card matches the purchaser's signature. This may be accompanied by checking of a photographic identification document such as the purchaser's driver's license. This process both identifies the purchaser and serves to provide specific authorisation for the particular transaction. Providing the merchant follows the specific guidelines for such transactions, the merchant will generally be guaranteed payment for the amount authorised less discount and fees.
In CNP transactions such as those occurring online, through the mail, or over the telephone, payments are not generally guaranteed to the merchant. The primary reason for CNP transactions not being guaranteed is that purchasers (cardholders) are not authenticated in situations where the merchant and the purchaser are not physically together with the card at the time of processing the transaction. This gives rise to financial risks associated with the transaction, which are generally carried by the merchant. Such risks include: chargebacks of payment transactions to online merchants (e.g., “disputed” use transactions), fraud for both merchants and cardholders (e.g., unauthorised use of stolen account information to purchase goods and services online), and increased expenses for financial institutions (which are often passed on to the merchant in any case). This unfortunately also leads to an increased public perception that buying goods and services online is unsafe and not secure, which prevents some consumers from purchasing online.
Disputed use transactions occur when a purchaser who is the authorised card holder disputes that a transaction occurred, even if they knowingly initiated such transaction but may have later changed their mind. Whilst rarer than unauthorised use or fraudulent transactions, disputed transactions nevertheless represent a risk for merchants as they are subject to potential chargebacks. Merchants often rely on delivery services with “signature on delivery” as the principal means to combat this type of fraud; however, this can often be ineffective as parcels can be signed by others, the signature may be illegible or differ from the cardholder's normal signature, or the parcel may be delivered to addresses that differ from the billing address. All of these have the potential to create a scenario for possible dispute with the cardholder and are susceptible to a chargeback.
Given the continuing growth of electronic commerce, it is desirable to provide methods capable of authenticating purchasers as the authorised cardholders and/or individual transactions on a case-by-case basis. This will potentially benefit all legitimate payment system participants including purchasers/cardholders, merchants, card schemes, and financial institutions.
Authenticating a purchaser as being the authorised cardholder (or a person authorised by the cardholder) and linking an authorisation to each transaction (just as in card present transactions) during online purchase transactions will reduce the levels of fraud, disputes, retrievals and charge-backs, which will consequently reduce the costs associated with each of these events. Authenticating the purchaser as being the authorised cardholder (or a person authorised by the cardholder) also addresses consumer security concerns and will likely lead to increased online sales. Given the foregoing, a system for authenticating both the identity of the purchaser and their authorisation regarding the specific online transaction on a case-by-case basis would be desirable during card not present (CNP) transactions. Such an authenticating system should preferably be relatively easy to implement and use, require a minimal investment of resources, and provide a high level of confidence surrounding the authorisation of the transaction. Such an authenticating system should preferably also cater for cross-currency transactions, in which a purchaser's card issue currency is different to the transaction currency of the seller or merchant.
Various checks are currently used to identify and discard fraudulent transactions. For example, credit card gateways generally recommend Address Verification Service (AVS) and Card Verification Value (CVV) checks. Failure of an AVS check suggests that the purchaser as the originator of the transaction may not be the owner of the card. Failure of a CVV check suggests that the originator of the transaction may not be in possession of the actual card. However, these checks are not foolproof as fraudsters are generally able to obtain the necessary information with sufficient effort. These checks, even if provided at time of transaction, do not always protect the merchant from ‘chargebacks’ whereby the authorised card holder can dispute that the transaction was authorised and claim that it was initiated by an unauthorised third party.
Another check is to look up a purchaser's IP address with a geo-location service provider that also detects anonymous proxies. In most cases, the general geographical location of the IP address should match either the purchaser's billing or shipping address. Orders from anonymous proxies are generally considered to represent a higher risk because fraudsters frequently use anonymous proxies to hide their actual IP address.
Another check is to compare the geographical location of the purchaser's IP address against a list of high risk countries or territories.
Another check is to determine whether the goods will be shipped to a mail-forwarding company when the shipping and billing addresses are different. Such orders could be risky as the goods may be forwarded overseas.
Another check is to determine whether the zip or post code provided by the purchaser corresponds to the city and state for both the billing and shipping addresses. The AVS check referred to above only checks the zip code and numeric portion of the street address. Fraudsters may not always be in possession of the complete address and may be too lazy to do a zip code reverse lookup for additional address information.
Another check is to request the purchaser to forward a signed authorisation form with copies of the front and back of the card via facsimile. However, this is inconvenient and is thus generally only requested under suspicious circumstances. Furthermore, fraudsters have been known to create credit card images using graphic design software.
Another check is to request the purchaser to provide the bank name and customer service telephone number as listed on the card. Customer service may then be called to determine whether the information provided matches bank records of the cardholder. This check is generally effective but is time-consuming and inconvenient.
Another check is to provide the purchaser with a personal identification number (PIN) in advance of any transactions for use with each transaction. This is considered effective but purchasers generally need to apply separately and in advance for a PIN for CNP transactions, and can often misplace or confuse PINs.
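The automated checks listed above (AVS, CVV, IP geo-location and anonymous-proxy detection, high-risk countries, mail forwarders, and zip-to-city/state consistency) can be combined into a single screening score for an order. The following is an added example, not part of the original text; the field names, weights, lookup tables, and the use of country as the geo-location match are all assumptions.

```python
from dataclasses import dataclass
# Constructed lookup data; a real deployment would query external services.
HIGH_RISK_COUNTRIES = {"XX"}  # placeholder country code
MAIL_FORWARDERS = {"1 FORWARDER WAY, MIAMI, FL 33101"}
ZIP_TABLE = {"94105": ("SAN FRANCISCO", "CA"), "33101": ("MIAMI", "FL")}

@dataclass
class Address:
    street: str
    city: str
    state: str
    zip_code: str
    country: str

    def key(self):
        return f"{self.street}, {self.city}, {self.state} {self.zip_code}".upper()
    def zip_consistent(self):
        # Goes beyond AVS, which checks only the zip and street number.
        return ZIP_TABLE.get(self.zip_code) == (self.city.upper(), self.state.upper())

@dataclass
class Order:
    billing: Address
    shipping: Address
    avs_match: bool
    cvv_match: bool
    ip_country: str  # from a geo-location lookup of the purchaser's IP
    ip_anonymous_proxy: bool

def screen(o):
    """Return (score, reasons); each triggered check adds its assumed weight."""
    b, s = o.billing, o.shipping
    checks = [
        (not o.avs_match, 30, "AVS mismatch"),
        (not o.cvv_match, 30, "CVV mismatch"),
        (o.ip_anonymous_proxy, 25, "anonymous proxy"),
        (o.ip_country not in (b.country, s.country), 20, "IP location matches neither address"),
        (o.ip_country in HIGH_RISK_COUNTRIES, 25, "high-risk IP country"),
        (b.key() != s.key() and s.key() in MAIL_FORWARDERS, 20, "ships to mail forwarder"),
        (not (b.zip_consistent() and s.zip_consistent()), 15, "zip/city/state mismatch"),
    ]
    hits = [(w, r) for triggered, w, r in checks if triggered]
    return sum(w for w, _ in hits), [r for _, r in hits]

# Constructed sample orders.
HOME = Address("100 Main St", "San Francisco", "CA", "94105", "US")
FWD = Address("1 Forwarder Way", "Miami", "FL", "33101", "US")
CLEAN = Order(HOME, HOME, True, True, "US", False)
RISKY = Order(HOME, FWD, True, False, "XX", True)
```

A merchant would compare the score against a threshold to decide whether to accept the order, hold it for one of the manual checks, or decline it.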
A need exists for improved methods and systems that provide evidence or verify that an account or card holder has authorised a specific transaction or payment from a specific account or card, without introducing undue delays and/or unnecessary additional transactions or operations.